How to provide IAM users permission to access a specific S3 bucket's objects?

To grant an IAM user permission to access only a specific S3 bucket's objects, you need to create the policy under that IAM user.

Go to IAM in the AWS console using the root/admin login.

https://console.aws.amazon.com

Under Users, select the username of the user you want to grant access to the S3 bucket.

Open the Permissions tab and click Add permissions or Add inline policy.

Add permissions lets you create a new managed policy, which can be applied to any user. Add inline policy applies only to this user.

Here I'm clicking Add inline policy and choosing the JSON option.

In the editor, write the policy that allows the current IAM user to access only the specific S3 bucket's objects.

Below is the policy that achieves this. Here you allow the current user full access to the S3 bucket named "example-bucket" and the objects inside it.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::example-bucket",
                "arn:aws:s3:::example-bucket/*"
            ]
        }
    ]
}

Note: Replace the bucket name with the exact bucket you wish to grant permission to.

The above policy grants every S3 permission on that bucket, but by itself it does not let the user perform some permission- and property-related operations inside the bucket.

For example, renaming an object, adding metadata properties, and cutting, copying and pasting between objects cannot be performed by the selected IAM user. To allow these operations, add an additional statement to the above policy, as shown below.

"Statement": [
    {
        "Effect": "Allow",
        "Action": "s3:ListAllMyBuckets",
        "Resource": "arn:aws:s3:::*"
    }
]

This statement also grants permission to list all buckets. However, the user can still only access the bucket named in the earlier statement.

The final policy, combining the two statements above:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::example-bucket",
                "arn:aws:s3:::example-bucket/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": "s3:ListAllMyBuckets",
            "Resource": "arn:aws:s3:::*"
        }
    ]
}

Once you have added the policy in the editor, click Review policy. It validates the JSON and shows any syntax errors; otherwise proceed to the next step, which creates the policy and attaches it under the IAM user's permissions.

Note: You can also grant only specific actions by listing the exact actions instead of "s3:*".

"Action": [
    "s3:PutObject",
    "s3:PutObjectAcl",
    "s3:GetObject",
    "s3:GetObjectAcl",
    "s3:DeleteObject"
]
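Before attaching a policy it helps to check what it actually grants. The following added example (not from the original post) evaluates the combined policy above, and a narrowed variant built from the explicit action list, against sample requests using a simplified version of IAM's explicit-deny / allow / implicit-deny logic. The request ARNs and the function names are constructed for this example; the real evaluation also considers conditions, bucket policies, SCPs and permission boundaries, which this check ignores.

```python
import re

# Constructed for this example: the combined policy from the post, and a narrowed
# variant that swaps "s3:*" for the explicit action list from the final note.
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*",
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
    {"Effect": "Allow", "Action": "s3:ListAllMyBuckets", "Resource": "arn:aws:s3:::*"}]}
NARROW_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:PutObject", "s3:PutObjectAcl", "s3:GetObject",
                "s3:GetObjectAcl", "s3:DeleteObject"],
     "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Effect": "Allow", "Action": "s3:ListAllMyBuckets", "Resource": "arn:aws:s3:::*"}]}

def _glob(pattern, value, ignore_case):
    # IAM patterns use only "*" (any run) and "?" (one char); everything else is literal.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None

def _as_list(value):
    return value if isinstance(value, list) else [value]

def is_allowed(policy, action, resource):
    """Simplified identity-policy evaluation: an explicit Deny wins, otherwise any
    matching Allow grants, otherwise the request is implicitly denied. Action names
    match case-insensitively, resource ARNs case-sensitively, as in IAM."""
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(_glob(p, action, True) for p in _as_list(stmt.get("Action", [])))
        resource_hit = any(_glob(p, resource, False) for p in _as_list(stmt.get("Resource", [])))
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

if __name__ == "__main__":
    for name, pol in (("s3:* policy", BUCKET_POLICY), ("narrow policy", NARROW_POLICY)):
        for action, res in (("s3:GetObject", "arn:aws:s3:::example-bucket/reports/q1.csv"),
                            ("s3:GetObject", "arn:aws:s3:::other-bucket/secret.txt"),
                            ("s3:PutBucketPolicy", "arn:aws:s3:::example-bucket")):
            print(f"{name:14} {action:18} {res:46} -> {is_allowed(pol, action, res)}")
```

The output shows why the explicit action list matters: with "s3:*" the user can also change bucket-level settings such as the bucket policy, while the narrowed policy keeps object access and nothing more.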